Joseph Salowey <j...@salowey.net> writes:

> The last call has come and gone without any comment. Please indicate if
> you have reviewed the draft even if you do not have issues to raise so the
> chairs can see who has reviewed it. Also indicate if you have any plans to
> implement the draft.
I looked at the draft. My understanding of the draft (and I think it would have helped if it contained a diagram showing the resulting TLS handshake) is that it's specifying the existing psk_dhe_ke flow, to which it adds a certificate-based signature over the handshake, which it doesn't specify but works the same way as in RFC 8446 when there is no PSK.

This is somewhat confusing because the draft is written as if it starts with a certificate-based TLS flow and somehow adds a PSK; it repeats all the RFC 8446 PSK machinery, but doesn't explain how the certificate interacts with it, and raises questions like "are there two DH operations or just one?". I think the draft could have been a lot shorter.

Conversely, one area where the draft could have been longer would be to explain how exactly this produces quantum-resistance in the presence of a secret shared key. It appears that it relies on the HKDF-Expand function being quantum-resistant. That seems like an important thing to document, given that we don't have fully functional quantum cryptanalysis yet and so don't know exactly what might be quantum-resistant or not.

However, once you're past that, the resulting protocol seems quite simple (as an addition to psk_dhe_ke) and I have no objections to it.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls